Networking¶
This documentation section is designed to guide you through the process of setting up and managing the networking of TeskaLabs LogMan.io. To ensure seamless functionality, it is important to follow the prescribed network configuration described below.
Schema: Network overview of the LogMan.io cluster.
Fronting network¶
The fronting network is a private L2 or L3 segment that serves for log collection. For that reason, it has to be accessible from all log sources.
Each node (server) has a dedicated IPv4 address on a fronting network. IPv6 is also supported.
Fronting network must be available at all locations of the LogMan.io cluster.
User network¶
The user network is a private L2 or L3 segment that serves for a user access to Web User Interface. For that reason, it has to be accessible for all users.
Each node (server) has a dedicated IPv4 address on a user network. IPv6 is also supported.
User network must be available at all locations of the LogMan.io cluster.
Internal network¶
The internal network is a private L2 or L3 segment that is used for private cluster communication. It MUST BE dedicated to the TeskaLabs LogMan.io to maintain the security envelope of the cluster. The internal network must provide the encryption if it is operated in the shared environment (ie as VLAN). This is critical requirement for a security of the cluster.
Each node (server) has a dedicated IPv4 address on an internal network. IPv6 is also supported.
Additionally, IPMI of hardware nodes can be exposed to this network, on the additional IP address (both IPv4 and IPv6).
Internal network must be available at all locations of the LogMan.io cluster.
Containers running on the node use "network mode" set to "host" on the internal network. It means that container’s network stack is not isolated from the node (host), and the container does not get its own IP address.
Administrators MAY access the internal network using VPN.
Connectivity¶
Each node (aka server) has following connectivity requirement:
Fronting network¶
- Minimal: 1Gbit NIC
- Recommended: 2x bonded 10Gbit NIC
User network¶
- Minimal: shared with the fronting network
- Recommended: 1Gbit NIC
Internal network¶
- Minimal: No NIC, internal only for a single node installations, 1Gbit
- Recommended: 2x bonded 10Gbit NIC
- IPMI if available at the server level
Internet connectivity (NAT, Firewalled, behind proxy server) using Fronting network OR Internal network.
Communication¶
Fronting network¶
| Source | Destination | Protocol | Port | Note |
|---|---|---|---|---|
| LogMan.io node | DNS servers | udp | 53 | Based on the configuration |
| LogMan.io node | DNS servers | tcp | 53 | Based on the configuration |
| LogMan.io node | NTP servers | udp | 123 | Based on the configuration |
| LogMan.io node | SMTP server | tcp | 25 | Plain text (non-encrypted) traffic, not recommended |
| LogMan.io node | SMTP server | tcp | 465 | Encrypted using STARTTLS |
| LogMan.io node | SMTP server | tcp | 587 | Encrypted using SMTPS |
| LogMan.io node | LDAP server | tcp | 389 | Plain text (non-encrypted) traffic, not recommended |
| LogMan.io node | LDAP server | tcp | 686 | Encrypted using LDAPS |
| LogMan.io node | LDAP server | tcp | 3268 | Plain text (non-encrypted) traffic, not recommended |
| LogMan.io node | LDAP server | tcp | 3269 | Encrypted using LDAPS |
| Log collector | LogMan.io node | tcp | 443 | Encrypted using Mutual TLS 1.2 |
| Log collector | LogMan.io node | udp | 41194 | VPN (optional) |
| LogMan.io node | Slack servers | tcp | 443 | Notifications (optional) |
| LogMan.io node | MS Teams servers | tcp | 443 | Notifications (optional) |
| LogMan.io node | Sentry.io | tcp | 443 | System telemetry (optional) |
| LogMan.io node | Update of software | tcp | 443 | docker.teskalabs.com, pcr.teskalabs.com, rcr.teskalabs.com, registry-1.docker.io, auth.docker.io, production.cloudflare.docker.com (optional) |
| LogMan.io node | Update of content | tcp | 443 | libsreg.z6.web.core.windows.net, libsreg-secondary.z6.web.core.windows.net (optional) |
| LogMan.io node | Update of OS | tcp | 443, 80 | archive.ubuntu.com, security.ubuntu.com, cz.archive.ubuntu.com |
Tip
Every outgoing HTTPS communication can use a proxy server. Configure your proxy server to allow traffic to specified domain names.
User network¶
| Source | Destination | Protocol | Port | Note |
|---|---|---|---|---|
| Users | LogMan.io node | tcp | 443 | |
| Users | LogMan.io node | tcp | 80 | Only for forwarding to HTTPS (optional) |
Tip
The user access is ballanced using Round-robin DNS.
Internal network¶
| Source | Destination | Protocol | Port | Note |
|---|---|---|---|---|
| LogMan.io node | LogMan.io node | udp | 41194 | VPN |
| Administrators | LogMan.io node | tcp | 22 | SSH (optional) |
| Administrators | IPMI | tcp | 443 | On dedicated ethernet port / IP address (optional) |
Log collector¶
| Source | Destination | Protocol | Port | Note |
|---|---|---|---|---|
| Log collector | DNS servers | udp | 53 | |
| Log collector | DNS servers | tcp | 53 | |
| Log collector | NTP servers | udp | 123 | |
| Log collector | LogMan.io node | tcp | 443 | Encrypted using Mutual TLS 1.2 |
| Log collector | LogMan.io node | udp | 41194 | VPN (optional) |
| Administrators | Log collector | tcp | 22 | SSH přístup administrátorů (volitelně) |
| Log collector | Update of software | tcp | 443 | docker.teskalabs.com, pcr.teskalabs.com, rcr.teskalabs.com, registry-1.docker.io, auth.docker.io, production.cloudflare.docker.com (optional) |
| Log collector | Update of OS | tcp | 443 | archive.ubuntu.com, security.ubuntu.com (optional) |
Syslog¶
| Source | Destination | Protocol | Port | Note |
|---|---|---|---|---|
| Log sources | Log collector | tcp | 514 | Syslog |
| Log sources | Log collector | udp | 514 | Syslog |
| Log sources | Log collector | tcp | 6514 | Syslog with SSL / TLS |
| Log sources | Log collector | udp | 20514 | REPL |
| Log sources | Log collector | tcp | 10000…14099 | Custom log source port range (optional) |
| Log sources | Log collector | udp | 10000…14099 | Custom log source port range (optional) |
Microsoft¶
| Source | Destination | Protocol | Port | Note |
|---|---|---|---|---|
| MS Windows | Log collector | tcp | 5986 | Log collection from Microsoft Windows using WEF, encrypted by HTTPS (optional) |
| MS Windows | Log collector | tcp | 5985 | Log collection from Microsoft Windows using WEF, encrypted by Kerberos (optional) |
| MS Windows | Log collector | tcp | 88 | Kerberos authorization version 5 for WEF (optional) |
| MS Windows | Log collector | udp | 88 | Kerberos authorization version 5 for WEF (optional) |
| Log collector | KDC, MS AD | tcp | 88 | Kerberos authorization version 5 for WEF (optional) |
| Log collector | KDC, MS AD | udp | 88 | Kerberos authorization version 5 for WEF (optional) |
| Log collector | Microsoft 365 | tcp | 443 | Log collection from Microsoft 365 (optional) |
ODBC¶
For log collection from database systems, ODBC is employed.
| Source | Destination | Protocol | Port | Note |
|---|---|---|---|---|
| Log collector | Oracle Database | tcp | 1521 | |
| Log collector | Microsoft SQL | tcp | 1433 | |
| Log collector | Microsoft SQL | udp | 1434 | |
| Log collector | MySQL | tcp | 3306 | |
| Log collector | PostgreSQL | tcp | 5432 |
SSL Server Certificate¶
The fronting network and the user network exposes web interfaces over HTTPS on the port TCP/443. For this reason, the LogMan.io needs an SSL Server certificate.
It could be either:
- self-signed SSL server certificate
- SSL server certificate issued by the Certificate Authority operated internally by the user
- SSL server certificate issued by a public (commercial) Certificate Authority
Tip
You can use XCA tool to generate or verify your SSL certificates.
Self-signed certificate¶
This option is suitable for very small deployments.
Users will get warnings from thier browsers when accessing LogMan.io Web interface.
Also insecure flags needs to be used in collectors.
Create a self-signed SSL certificate using OpenSSL command-line
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
-keyout key.pem -out cert.pem -sha256 -days 3650 -nodes \
-subj "/CN=logman.int"
This command will create key.pem (a private key) and cert.pem (a certificate), for internal domain name logman.int.
Certificate from Certificate Authority¶
Parameters for the SSL Server certificate:
- Private key: EC 384 bit, curve secp384p1 (minimum), alternatively RSA 2048 (minimum)
- Subject Common name
CN: Fully Qualified Domain Name of the LogMan.io user Web UI - X509v3 Subject Alternative Name: Fully Qualified Domain Name of the LogMan.io user Web UI set to "DNS"
- Type: End Entity, critical
- X509v3 Subject Key Identifier set
- X509v3 Authority Key Identifier set
- X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
- X509v3 Extended Key Usage: TLS Web Server Authentication
Example of SSL Server certificate for http://logman.example.com/
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6227131463912672678 (0x566b3712dc2c4da6)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = logman.example.com
Validity
Not Before: Nov 16 11:17:00 2023 GMT
Not After : Nov 15 11:17:00 2024 GMT
Subject: CN = logman.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:79:e2:9f:69:cb:ac:f5:3f:93:43:56:a5:ac:d7:
cf:97:f9:ba:44:ee:9b:53:89:19:fd:91:02:0d:bd:
59:41:d6:ec:c6:2b:01:33:03:b6:3e:4a:1d:f4:e9:
2c:3f:af:49:92:79:9c:00:0b:0b:e3:28:7b:13:33:
b4:ac:88:d7:9c:0a:7b:95:90:09:a2:f7:aa:ce:7c:
51:3e:3a:94:af:a8:4b:65:4f:82:90:6a:2f:a9:57:
25:6f:5f:80:09:4c:cb
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
49:7A:34:F8:A6:EB:6D:8E:92:42:57:BB:EB:2D:B3:82:F4:98:9D:17
X509v3 Authority Key Identifier:
49:7A:34:F8:A6:EB:6D:8E:92:42:57:BB:EB:2D:B3:82:F4:98:9D:17
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:logman.example.com
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:64:02:30:16:09:95:f4:04:1b:99:f4:06:ef:1e:63:4e:aa:
1d:21:b0:b1:31:c1:84:9a:a9:55:c6:14:bd:a1:62:c5:14:14:
35:73:da:8b:a8:7b:f2:f6:4c:8c:b0:6b:72:79:5f:4c:02:30:
49:6f:ef:05:0f:dd:28:fb:26:f8:76:71:01:f3:e4:da:63:72:
17:db:96:fb:5c:09:43:f8:7b:3b:a1:b6:dc:23:31:66:5d:23:
18:94:0b:e4:af:8b:57:1e:c3:3d:93:6f
Generate a CSR¶
If the Certificate Authority requires CSR to be submitted to receive a SSL certificate, follow this procedure:
1. Generate a private key:
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out key.pem
This command will create key.pem with the private key.
2. Create CSR using generated private key:
openssl req -new -key key.pem -out csr.pem -subj "/CN=logman.example.com"
This command will produce csr.pem file with that Certificate Signing Request.
Replace logman.example.com with the FQDN (domain name) of the LogMan.io deployment.
3. Submit the CSR to a Certificate Authority
The Certificate Authority will generate a certificate, store it in a cert.pem in a PEM format.